Mark Bregman | True identities

The real issue in the network world is not how I manage your identity once I've established it; that's what public-key infrastructure does. The real issue is how do I establish my identity in the first place.

Who are you? Mark Bregman really wants to know. The new chief technology officer for Symantec Corp. of Cupertino, Calif., is thinking hard about how to define the elements that make up a person's identity and how that individual can assert such an identity in cyberspace.

Most people think of Symantec as providing protection from computer viruses and worms or, if you're a system administrator, as a provider of software for backing up computer files across an enterprise. The company, however, has been realigning itself as one that can help organizations manage risk in their IT infrastructures. And, as Bregman points out, identity management is a crucial element in risk management. We talked to Bregman about identity management as well as other security concerns of late, such as botnets and the rapid proliferation of spam.

GCN: In public talks, you've been speaking about how identity plays an increasingly important role in security. Elaborate.

Bregman: What we've started to see over the last 12 months is that there is another layer above the information that is becoming more important to security, and that is the interactions. If you want to access a bank or an e-commerce site, you're interacting with that service. How do you know they are who they say they are? How do they know you are who you say you are?

GCN: How will Symantec tackle this problem?

Bregman: The real issue in the network world is not how I manage your identity once I've established it; that's what public-key infrastructure does. The real issue is, how do I establish my identity in the first place?

In the physical world, when you come to work for a company, [human resource personnel] do a lot of background checks: they meet you face to face, they check some physical identity documents. They do a background check and then they issue you a credential, like a badge or a password, and that is sort of a credential to manage the access and authentication.

[We are becoming] a broker of identity so you can, as an individual, establish your identity with us through some set of processes. And having done so once, you can use those credentials elsewhere [in cyberspace], because we're trusted by the third parties to establish your identity.

GCN: That sounds like Passport, a failed attempt by Microsoft Corp. to establish a universal log-in service.

Bregman: Well, yes and no. Passport was a little too heavy-handed in the way it was administered. Microsoft wanted to control the identity. The key issue, I think, is that individuals need to control their own identity. It is your identity, not Symantec's, so we will be a broker, as opposed to being the owner, of the identity.

GCN: Would you seek government input?

Bregman: Clearly, at some point, the actual source of the identity will probably come from the government, but that will take some time.

In the meantime, there are mechanisms we could use that would be analogous to a credit rating. If I want to get a loan, the bank will go to Equifax to learn about my credit-worthiness. Equifax does not certify my credit-worthiness, it [offers] a collection of publicly available data that has been correlated to offer a picture.

The same thing is true for identity. Without having a government-issued identity, I can assert to somebody that this is my name. I could say I have an address and you can look it up. I have some records that say where I lived in the past. And if I weren't Mark Bregman, maybe you wouldn't know those addresses. You could ask what the last item was that I charged on my credit card. So you start to narrow in on confirming or establishing my identity.

Now [that approach] might even be better than a government-issued identification card. Even in the physical world, it is not that hard to get a fake ID. You show up with a birth certificate. What is a birth certificate? Well, it's a piece of paper that says someone was born with that name, but it doesn't have any DNA, fingerprints or anything. The person [applying for the ID] has to be the same sex and around the same age, and that is pretty much it. We could build a history of someone's life, and that might be better as a form of identity.

GCN: Elsewhere in the security field, we've been hearing a lot about botnets, or networks of user computers surreptitiously controlled by spammers. What does Symantec see in this area?

Bregman: One of the general trends is that the vast majority of threats have moved in the past few years from being very visible to being indiscriminate. In the past, there was a lot of what was effectively graffiti, or vandalism. The whole point of the people perpetuating it was to get attention.

It has gone from vandalism to being real crime for financial return. Criminals aren't stupid. The best way to break in and steal something is to not let you know they are in the house until you've discovered what is missing. ... Cybercriminals are doing much more subtle things and much more targeted things.

That is why we're seeing a shift from worms and viruses that are visible and cause problems on your machine to [those] that are not visible. The best ones are not visible. If you don't know they are there, you're not going to get rid of them.

I had a conversation with a guy who founded a small company. ... He said, 'I don't understand it. The only machines in our offices that get viruses are the ones with antivirus software. The other machines never have a problem.' So I say, 'Do you notice that they are getting slower and slower?' He said, 'Well, after nine months I have to replace them, they just wear out.'

Of course, computers don't just wear out. They get filled with junk. I just think people aren't thinking about it that much. They're seeing this 80 percent growth in spam, but they haven't yet recognized that ... it is not just the spam that is the problem, but it's the botnets and other things.

I think government is realizing this. If you're an intelligence agency or a defense agency, you certainly don't want uncontrolled stuff running on your machines.

GCN: Recently our reviewers praised a spam filtering appliance from Sendio Inc. that uses a novel form of spam filtering called challenge-and-response [GCN.com/730]. What do you think of this approach?

Bregman: This is something we've looked at. The problem is that it is very cumbersome. ... The first time you e-mail someone, you get a challenge back. Then you send back something, which puts you on the Safe List. And that is fine until you change your e-mail address, and then you have to do it again. It is not clear how well it scales. And of course, there are ways to get around that. And as soon as you know what a challenge response is, you can automate a response.

One of the real challenges of security is to not just protect things but to do it in such a way that ... you [don't] spend all your time on security. ... Think about airport security. It's almost to the point where it takes you so long to get through airport security you might as well take the train.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.